update wstrigger

David Wertenteil · David Wertenteil · commit f7d1d2c4b839 · 2022-05-01T22:29:51.000+03:00
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -1,7 +1,5 @@
 FROM golang:1.18-alpine as builder
 
-ENV RELEASE=$image_version
-
 ENV GO111MODULE=
 
 ENV CGO_ENABLED=0
@@ -22,4 +20,7 @@ WORKDIR /home/armo/
 
 COPY --from=builder /work/build/trigger /usr/bin/trigger
 
+ARG image_version
+ENV RELEASE=$image_version
+
 ENTRYPOINT ["trigger"]
diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/armosec/cluster-notifier-api-go v0.0.3
 	github.com/armosec/k8s-interface v0.0.70
 	github.com/armosec/logger-go v0.0.6
-	github.com/armosec/opa-utils v0.0.135
+	github.com/armosec/opa-utils v0.0.136
 	github.com/armosec/utils-go v0.0.5
 	github.com/armosec/utils-k8s-go v0.0.7
 	github.com/docker/docker v20.10.14+incompatible
@@ -17,7 +17,6 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/websocket v1.5.0
-	github.com/mitchellh/mapstructure v1.5.0
 	github.com/stretchr/testify v1.7.1
 	golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
diff --git a/go.sum b/go.sum
@@ -146,8 +146,8 @@ github.com/armosec/k8s-interface v0.0.70 h1:NU3UIaNl7H3hsRecwggiaQbZXTwXtOKg3GOB
 github.com/armosec/k8s-interface v0.0.70/go.mod h1:8NX4xWXh8mwW7QyZdZea1czNdM2azCK9BbUNmiZYXW0=
 github.com/armosec/logger-go v0.0.6 h1:V8iMCC/XQ7Af88F/k3uWuDQskgLHUY5MXI5L1fMoPU8=
 github.com/armosec/logger-go v0.0.6/go.mod h1:ZnocpQc+z6phNJSLVfXgHcOW4rg4NCO70ApmF0Y7W6w=
-github.com/armosec/opa-utils v0.0.135 h1:7JMHGKMD13XWwwd4g11tw6T9C4BRPifDiqdeDJEz638=
-github.com/armosec/opa-utils v0.0.135/go.mod h1:mCFQzz4E227f7V2jQVQ9XCivkNNK3UWCTaZ0HE5rBWk=
+github.com/armosec/opa-utils v0.0.136 h1:WOflXgweEUZAbLwyB18x8cbIftGhp2M2UngGxIvQEPY=
+github.com/armosec/opa-utils v0.0.136/go.mod h1:mCFQzz4E227f7V2jQVQ9XCivkNNK3UWCTaZ0HE5rBWk=
 github.com/armosec/rbac-utils v0.0.14 h1:CKYKcgqJEXWF2Hen/B1pVGtS3nDAG1wp9dDv6oNtq90=
 github.com/armosec/rbac-utils v0.0.14/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=
 github.com/armosec/utils-go v0.0.5 h1:+pfZirWrOvfqvVYlL7OG1wMQD4T4YMwC78zzosB+mlQ=
@@ -742,8 +742,6 @@ github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eI
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
diff --git a/main.go b/main.go
@@ -2,14 +2,13 @@ package main
 
 import (
 	"flag"
-	"fmt"
-	"io/ioutil"
 	"k8s-ca-websocket/cautils"
 	"k8s-ca-websocket/mainhandler"
 	"k8s-ca-websocket/notificationhandler"
 	"k8s-ca-websocket/notificationhandler/safemode"
 	"k8s-ca-websocket/restapihandler"
 	"k8s-ca-websocket/websocket"
+	"os"
 
 	"github.com/armosec/armoapi-go/apis"
 	"github.com/armosec/k8s-interface/k8sinterface"
@@ -82,15 +81,5 @@ func main() {
 }
 
 func displayBuildTag() {
-	imageVersion := "local build"
-	dat, err := ioutil.ReadFile("./build_number.txt")
-	if err == nil {
-		imageVersion = string(dat)
-	} else {
-		dat, err = ioutil.ReadFile("./build_date.txt")
-		if err == nil {
-			imageVersion = fmt.Sprintf("%s, date: %s", imageVersion, string(dat))
-		}
-	}
-	glog.Infof("Image version: %s", imageVersion)
+	glog.Infof("Image version: %s", os.Getenv("RELEASE"))
 }
diff --git a/mainhandler/handlerequests.go b/mainhandler/handlerequests.go
@@ -181,10 +181,8 @@ func (actionHandler *ActionHandler) runCommand(sessionObj *cautils.SessionObj) e
 		return actionHandler.scanWorkload(sessionObj)
 	case apis.SCAN_REGISTRY:
 		return actionHandler.scanRegistry(sessionObj)
-	case string(apis.TypeRunKubescape):
+	case string(apis.TypeRunKubescape), string(apis.TypeRunKubescapeJob):
 		return actionHandler.kubescapeScan()
-	case string(apis.TypeRunKubescapeJob): // deprecated
-		return actionHandler.runKubescapeJob()
 	case string(apis.TypeSetKubescapeCronJob):
 		return actionHandler.setKubescapeCronJob()
 	case string(apis.TypeUpdateKubescapeCronJob):
diff --git a/mainhandler/imageregistryhandler.go b/mainhandler/imageregistryhandler.go
@@ -2,10 +2,10 @@ package mainhandler
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/armosec/k8s-interface/cloudsupport"
 	"github.com/docker/docker/api/types"
-	"github.com/golang/glog"
 	"github.com/google/go-containerregistry/pkg/authn"
 	containerregistry "github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
@@ -39,26 +39,22 @@ func (regCreds *registryCreds) Authorization() (*authn.AuthConfig, error) {
 	if cloudsupport.CheckIsECRImage(regCreds.RegistryName) {
 		username, password, err = cloudsupport.GetLoginDetailsForECR(regCreds.RegistryName)
 		if err != nil {
-			glog.Infof("ECR get Authorization failed with err %v", err)
-			return nil, err
+			return nil, fmt.Errorf("ECR get Authorization failed with err %v", err.Error())
 		}
 		*regCreds.auth = types.AuthConfig{Username: username, Password: password}
 	} else if cloudsupport.CheckIsGCRImage(regCreds.RegistryName + "/") {
 		username, password, err = cloudsupport.GetLoginDetailsForGCR(regCreds.RegistryName)
 		if err != nil {
-			glog.Infof("GCR get Authorization failed with err %v", err)
-			return nil, err
+			return nil, fmt.Errorf("GCR get Authorization failed with err %v", err.Error())
 		}
 		*regCreds.auth = types.AuthConfig{Username: username, Password: password}
 	} else if cloudsupport.CheckIsACRImage(regCreds.RegistryName + "/") {
 		username, password, err = cloudsupport.GetLoginDetailsForAzurCR(regCreds.RegistryName)
 		if err != nil {
-			glog.Infof("GCR get Authorization failed with err %v", err)
-			return nil, err
+			return nil, fmt.Errorf("ACR get Authorization failed with err %v", err.Error())
 		}
 		*regCreds.auth = types.AuthConfig{Username: username, Password: password}
 	} else {
-		glog.Infof("try to get images with no creds from regustry %v", regCreds.RegistryName)
 		return &authn.AuthConfig{}, nil
 	}
 
diff --git a/mainhandler/kubescapehandler.go b/mainhandler/kubescapehandler.go
@@ -104,7 +104,6 @@ func (actionHandler *ActionHandler) kubescapeScan() error {
 	if err != nil {
 		return err
 	}
-
 	resp, err := httputils.HttpPost(http.DefaultClient, getKubescapeV1ScanURL().String(), nil, body)
 	if err != nil {
 		return err
diff --git a/mainhandler/kubescapehandlerhelper.go b/mainhandler/kubescapehandlerhelper.go
@@ -13,7 +13,6 @@ import (
 	"github.com/armosec/armoapi-go/apis"
 	"github.com/armosec/k8s-interface/k8sinterface"
 	utilsmetav1 "github.com/armosec/opa-utils/httpserver/meta/v1"
-	"github.com/armosec/utils-go/boolutils"
 	v1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -48,7 +47,7 @@ func getKubescapeV1ScanRequest(args map[string]interface{}) (*utilsmetav1.PostSc
 	// validate
 	postScanRequest := &utilsmetav1.PostScanRequest{}
 	if err := json.Unmarshal(scanV1Bytes, postScanRequest); err != nil {
-		return nil, fmt.Errorf("failed to convert request to v1/scan object")
+		return nil, fmt.Errorf("failed to convert request to v1/scan object, reason: %s", err.Error())
 	}
 
 	return postScanRequest, nil
@@ -70,7 +69,7 @@ func readKubescapeV1ScanResponse(resp *http.Response) (*utilsmetav1.Response, er
 	}
 
 	if err := json.Unmarshal(bodyBytes, response); err != nil {
-		return nil, fmt.Errorf("failed to convert response object")
+		return nil, fmt.Errorf("failed to convert response object, reason: %s", err.Error())
 	}
 
 	return response, nil
@@ -136,11 +135,9 @@ func convertRulesToRequest(args map[string]interface{}) error {
 	}
 
 	postScanRequest := &utilsmetav1.PostScanRequest{}
-	postScanRequest.Submit = boolutils.BoolPointer(true)
 	for i := range rulesList {
 		postScanRequest.TargetType = utilsapisv1.NotificationPolicyKind(rulesList[i].Kind)
 		postScanRequest.TargetNames = append(postScanRequest.TargetNames, rulesList[i].Name)
-
 	}
 	args[cautils.KubescapeScanV1] = postScanRequest
 	return nil
diff --git a/mainhandler/vulnscan.go b/mainhandler/vulnscan.go
@@ -162,7 +162,7 @@ func (actionHandler *ActionHandler) scanWorkload(sessionObj *cautils.SessionObj)
 	errs := ""
 	containers, err := getWorkloadImages(actionHandler.k8sAPI, actionHandler.wlid)
 	if err != nil {
-		return fmt.Errorf("cant get workloads from k8s, wlid: %s, reason: %s", actionHandler.wlid, err.Error())
+		return fmt.Errorf("failed to get workloads from k8s, wlid: %s, reason: %s", actionHandler.wlid, err.Error())
 	}
 
 	// we want running pod in order to have the image hash
@@ -182,9 +182,9 @@ func (actionHandler *ActionHandler) scanWorkload(sessionObj *cautils.SessionObj)
 
 			glog.Infof("wlid: %s, container: %s, image: %s, jobIDs: %s/%s/%s", websocketScanCommand.Wlid, websocketScanCommand.ContainerName, websocketScanCommand.ImageTag, actionHandler.reporter.GetParentAction(), websocketScanCommand.ParentJobID, websocketScanCommand.JobID)
 
-			if websocketScanCommand.ParentJobID != actionHandler.command.JobTracking.ParentID {
-				glog.Errorf("websocket command parent: %v, child: %v, VS actionhandler.command parent: %v child %v", websocketScanCommand.ParentJobID, websocketScanCommand.JobID, actionHandler.command.JobTracking.ParentID, actionHandler.command.JobTracking.JobID)
-			}
+			// if websocketScanCommand.ParentJobID != actionHandler.command.JobTracking.ParentID {
+			// 	glog.Errorf("websocket command parent: %v, child: %v, VS actionhandler.command parent: %v child %v", websocketScanCommand.ParentJobID, websocketScanCommand.JobID, actionHandler.command.JobTracking.ParentID, actionHandler.command.JobTracking.JobID)
+			// }
 		}
 		for contIdx := range pod.Status.ContainerStatuses {
 			if pod.Status.ContainerStatuses[contIdx].Name == containers[i].container {
diff --git a/notificationhandler/websocket.go b/notificationhandler/websocket.go
@@ -105,7 +105,7 @@ func (notification *NotificationHandler) websocketReceiveNotification() error {
 			}
 			err := notification.handleNotification(notif)
 			if err != nil {
-				glog.Errorf("failed to handle notification: %s, %v,\t\t %v", messageBytes, err, notif)
+				glog.Errorf("failed to handle notification: %s, reason: %s", messageBytes, err.Error())
 			}
 		case websocket.CloseMessage:
 			return fmt.Errorf("websocket closed by server, message: %s", string(messageBytes))
diff --git a/notificationhandler/websocketutils.go b/notificationhandler/websocketutils.go
@@ -9,10 +9,7 @@ import (
 	"time"
 
 	"github.com/armosec/armoapi-go/apis"
-	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/armosec/cluster-notifier-api-go/notificationserver"
-	opapolicy "github.com/armosec/opa-utils/reporthandling"
-	"github.com/mitchellh/mapstructure"
 	"gopkg.in/mgo.v2/bson"
 
 	"github.com/golang/glog"
@@ -54,48 +51,57 @@ func NewCommands() interface{} {
 
 func parseNotificationCommand(notification interface{}) (*apis.Commands, error) {
 	cmds := &apis.Commands{}
-	if err := mapstructure.Decode(notification, cmds); err != nil {
-		return nil, fmt.Errorf("parseNotificationCommand: failed to convert notification payload to commands structure")
-	}
 
-	return cmds, nil
+	var notificationBytes []byte
+	var err error
+	switch b := notification.(type) {
+	case []byte:
+		notificationBytes = b
+	default:
+		if notificationBytes, err = json.Marshal(notification); err != nil {
+			return nil, fmt.Errorf("failed to marshal notification payload from command, reason: %s", err.Error())
+		}
+	}
+	if err = json.Unmarshal(notificationBytes, cmds); err != nil {
+		return nil, fmt.Errorf("failed to convert notification payload to commands structure, reason: %s", err.Error())
+	}
+	return cmds, err
 }
-
 func (notification *NotificationHandler) handleNotification(notif *notificationserver.Notification) error {
 	dst := notif.Target["dest"]
 	switch dst {
-	case "kubescape":
-		// sent by this function in dash BE: KubescapeInClusterHandler
-		policyNotificationBytes, ok := notif.Notification.([]byte)
-		if !ok {
-			return fmt.Errorf("handleNotification, kubescape, failed to get policyNotificationBytes")
-		}
-		policyNotification := &opapolicy.PolicyNotification{}
-		if err := json.Unmarshal(policyNotificationBytes, policyNotification); err != nil {
-			return fmt.Errorf("handleNotification, kubescape, failed to Unmarshal: %v", err)
-		}
-
-		sessionOnj := cautils.NewSessionObj(&apis.Command{
-			CommandName: string(policyNotification.NotificationType),
-			Designators: []armotypes.PortalDesignator{policyNotification.Designators},
-			JobTracking: apis.JobTracking{JobID: policyNotification.JobID},
-			Args: map[string]interface{}{
-				"kubescapeJobParams": policyNotification.KubescapeJobParams,
-				"rules":              policyNotification.Rules},
-		}, "WebSocket", "", policyNotification.JobID, 1)
-		*notification.sessionObj <- *sessionOnj
-
-	case "trigger":
+	// case "kubescape":
+	// 	// sent by this function in dash BE: KubescapeInClusterHandler
+	// 	policyNotificationBytes, ok := notif.Notification.([]byte)
+	// 	if !ok {
+	// 		return fmt.Errorf("handleNotification, kubescape, failed to get policyNotificationBytes")
+	// 	}
+	// 	policyNotification := &opapolicy.PolicyNotification{}
+	// 	if err := json.Unmarshal(policyNotificationBytes, policyNotification); err != nil {
+	// 		return fmt.Errorf("handleNotification, kubescape, failed to Unmarshal: %v", err)
+	// 	}
+
+	// 	sessionOnj := cautils.NewSessionObj(&apis.Command{
+	// 		CommandName: string(policyNotification.NotificationType),
+	// 		Designators: []armotypes.PortalDesignator{policyNotification.Designators},
+	// 		JobTracking: apis.JobTracking{JobID: policyNotification.JobID},
+	// 		Args: map[string]interface{}{
+	// 			"kubescapeJobParams": policyNotification.KubescapeJobParams,
+	// 			"rules":              policyNotification.Rules},
+	// 	}, "WebSocket", "", policyNotification.JobID, 1)
+	// 	*notification.sessionObj <- *sessionOnj
+
+	case "trigger", "kubescape":
 		cmds, err := parseNotificationCommand(notif.Notification)
 		if err != nil {
 			return err
 		}
 		for _, cmd := range cmds.Commands {
-			sessionObj := cautils.NewSessionObj(&cmd, "WebSocket", "", "", 1)
+			sessionObj := cautils.NewSessionObj(&cmd, "WebSocket", cmd.JobTracking.ParentID, cmd.JobTracking.JobID, 1)
 			*notification.sessionObj <- *sessionObj
 		}
 
-	case "", "safeMode":
+	case "safeMode":
 		safeMode, e := parseSafeModeNotification(notif.Notification)
 		if e != nil {
 			return e
diff --git a/notificationhandler/websocketutils_test.go b/notificationhandler/websocketutils_test.go
@@ -1 +1,16 @@
 package notificationhandler
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var mockCommandRunKubescapeJob = `{"commands":[{"CommandName":"runKubescapeJob","responseID":"","jobTracking":{"jobID":"6be09aad-a376-4d6b-97ad-8d1a75fce89d","timestamp":"0001-01-01T00:00:00Z"},"args":{"kubescapeJobParams":{"clusterName":"dwertent","frameworkName":"DevOpsBest","jobID":"6be09aad-a376-4d6b-97ad-8d1a75fce89d"},"scanV1":{"targetNames":["DevOpsBest"],"targetType":"Framework"}},"designators":[{"designatorType":"","attributes":{"cluster":"dwertent"}}]}]}`
+
+func TestParseNotificationCommand(t *testing.T) {
+	cmd, err := parseNotificationCommand([]byte(mockCommandRunKubescapeJob))
+	assert.NoError(t, err)
+	assert.Equal(t, 1, len(cmd.Commands))
+	assert.Equal(t, "runKubescapeJob", cmd.Commands[0].CommandName)
+}

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,6 @@ func (actionHandler *ActionHandler) kubescapeScan() error {`
`104`	`104`	`if err != nil {`
`105`	`105`	`return err`
`106`	`106`	`}`
`107`		`-`
`108`	`107`	`resp, err := httputils.HttpPost(http.DefaultClient, getKubescapeV1ScanURL().String(), nil, body)`
`109`	`108`	`if err != nil {`
`110`	`109`	`return err`
Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ func (notification *NotificationHandler) websocketReceiveNotification() error {`
`105`	`105`	`}`
`106`	`106`	`err := notification.handleNotification(notif)`
`107`	`107`	`if err != nil {`
`108`		`- glog.Errorf("failed to handle notification: %s, %v,\t\t %v", messageBytes, err, notif)`
	`108`	`+ glog.Errorf("failed to handle notification: %s, reason: %s", messageBytes, err.Error())`
`109`	`109`	`}`
`110`	`110`	`case websocket.CloseMessage:`
`111`	`111`	`return fmt.Errorf("websocket closed by server, message: %s", string(messageBytes))`